LockerGoga cyber attack was a wake-up call: Johansmeyer, PCS

The LockerGoga ransomware attack was a wake-up call for the insurance and reinsurance industry and underlines the complex, emerging, and fast-moving nature of cyber risk, according to Property Claim Services (PCS) Co-Head, Tom Johansmeyer.

LockerGoga is the strain of ransomware behind the recent Norsk Hydro cyber attack, as well as multiple attacks on other industrial and manufacturing targets.

Unlike more common types of ransomware, which typically encrypt some files on a machine but otherwise leaves it running, LockerGoga seemingly aims to maximise disruption, shutting down computers entirely, locking out their users, and rendering it difficult for victims to even pay the ransom.

At the same time, the fact the industrial sector was hit also makes this attack particularly unusual, and highlights the constantly evolving and ever-complex cyber risk landscape.

“I’ll be the first to admit that LockerGoga was a wake-up call. Impacting the industrial sector in the first quarter of 2019, this ransomware has led to at least one PCS®-designated global cyber event, and we’re watching five other companies for potential affirmative or non-affirmative claims related to the attack.

“Though smaller, in a lot of ways it looks and smells a little like NotPetya – in terms of global insurance industry impact,” said Johansmeyer, speaking with Reinsurance News.

According to Johansmeyer, what makes LockerGoga both alarming and noteworthy, is the fact sector is more important than size. Ultimately, a cyber catastrophe event simply wasn’t expected in the industrial sector.

“In fact, when talking through target-rich sectors with clients, I used to joke that no self-respecting nerd wakes up in the morning and says, ‘I’m going to bring the heavy industrial sector to its knees’.

“Of course, LockerGoga has shown us otherwise. More proof that cyber is new and emerging and fast-moving – all the things the global reinsurance industry has been saying about cyber for the last several years,” said Johansmeyer.

He continued to explain that so far, the insurance impact from LockerGoga has been fairly limited, but PCS Global Cyber has designated the Norsk Hydro affirmative cyber loss.

Previously, Johansmeyer told our sister publication, Artemis that it had started to investigate the ransomeware attack. For a cyber event to qualify for designation under PCS Global Cyber, it must generate a re/insured loss of at least $20 million.

“We’re aware of five other companies impacted by LockerGoga, spanning the United States and Europe. It’ll take time to see if they were affected sufficiently to warrant a claim of any kind—and what sorts of covers are in place.

“Even a fairly contained loss to property programs, though, could push the industry loss to our threshold of US$250 million, making LockerGoga the second PCS-designated cyber catastrophe event, behind Petya/NotPetya.”

Like Petya/NotPetya, the recent LockerGoga attack caused significant business interruption, and it’s expected that this will make up a sizeable portion of any eventual insurance or reinsurance industry loss.

The re/insurance industry loss for Petya/NotPetya was somewhere around the $3.3 billion mark, which was largely driven by so-called silent cyber losses.

“Looking back to NotPetya, the bulk of the projected insured loss (more than 80 per cent) came from property programmes that didn’t fully or effectively exclude cyber. Following the event, there was doubtless a tightening of terms and conditions across the market, but the risk always remains that not everything was remedied.

“Original insureds that appear unlikely to be vulnerable to a cyberattack – or that seem unlikely to be targeted – may not always undergo a post-industry loss wordings remediation, which could have implications for a future cyberattack,” explained Johansmeyer.

But does a $250 million insured loss, or even one of $500 million or $1 billion, actually matter that much?

“Big picture, probably not. US$250 million isn’t even a large single-risk marine loss, let alone a catastrophe. With LockerGoga, it’s more about the circumstances. For industrials to get hit, the playing field for cyber catastrophe seems to have gotten wider. The notion of high-profile targeting becomes less important than it was a few months ago and there’s a greater sense that anyone – or any peer group – could get hit.

“A risk landscape dominated by supply chain, media, and financials was the norm, but LockerGoga could change that. Insurers and reinsurers thus have a wider scope for cyber catastrophe, and it’s one that could be complicated by the types of cover involved.

“The best move, of course, is to identify and adjust terms to reflect the intent of the coverage buyer and protection seller. However, that takes time, and market pressures are always a factor.

“As a result, risk transfer needs to play a role in managing risk and capital post-event, particularly if cyber catastrophe risk is more widespread than anticipated. With non-affirmative cyber risk difficult to quantify, industry loss warranties (ILWs) could be particularly effective in hedging the unknown,” said Johansmeyer.